Organizations move toward stricter security testing to ensure compliance

According to a new Synack survey, more companies are using external providers and crowdsourced testing to meet their security needs.

Organizations face competing pressures in ensuring that their data, infrastructure, applications and other business assets meet the necessary security requirements.

In addition to scheduling time and settling on the best processes for security testing, companies face growing pressure from their own boards and from regulators to remain compliant with security standards.

Regulations such as GDPR and HIPAA now require or recommend more frequent audits that include penetration testing. To meet these requirements, many companies are turning to a more rigorous and continuous security testing process, according to new research released by Synack on December 4.

As detailed in Synack’s “The 2020 State of Compliance and Security Testing Report,” 44% of respondents said they perform monthly security tests to better understand and assess their current security level. About 30% said they perform such tests on a quarterly basis, while 9% do it every six months and 10% only once a year.

But regular security testing can be a challenge. Although 41% of respondents said they were satisfied with their current security compliance testing process, 59% acknowledged problems with it.

The biggest challenge is cost: companies must account for the cost of the testing itself, the cost of remediation, the cost of scaling efficiently, the cost of integrating with their DevOps processes and software pipelines, and the cost of dealing with false positives or poorly reported findings.

Other stumbling blocks reported by respondents include the time needed to schedule security tests, the ability to manage testers, the quality of the tests, and the time spent on testing itself.

A typical security test should take one to two weeks to allow enough time for analysis, Synack says. But among the respondents, 41% spend less than eight hours on a standard test, 30% spend 9 to 20 hours, 13% spend 21 to 41 hours and 9% spend 41 to 80 hours. Only 7% spend more than 80 hours.

The low number of hours spent on each test can be a result of limited budgets and small team sizes, says Synack, especially when staff have to cover a range of different assets. Another cause may be the difficulty of finding high-quality testing providers.

“Although we see a move toward a 24/7, 365 security culture among organizations in a wide range of industries and regions, there is still much room for improvement,” said Aisling MacRunnels, Chief Marketing Officer of Synack, in a press release.

“Our research found that most security tests only take 20 hours on average,” MacRunnels said. “As the number of cyber incidents continues to increase, it is imperative for decision makers to continuously implement security testing solutions with 1500-2000 test hours per year.”

Security tests have also become more demanding due to faster cycles of application development. Agile and DevOps methodologies push code to production more often, according to Synack.

As a result, some organizations have their developers perform security tests themselves, reducing last-minute problems and lowering costs by finding bugs earlier in the development cycle.

To help with their security testing, more companies are looking outside. About 43% of respondents said they have used one or more external security testing providers for their compliance and security testing.

Companies usually rely on external security vendors to supplement their own resources, to acquire specialist skills they do not have in-house, and to gain an independent perspective free of internal bias. External providers are also used for specific purposes.

About 63% of respondents said they use external security providers to identify and mitigate vulnerabilities, while 47% use them to meet compliance mandates.

But relying on multiple security providers brings its own challenges. A little more than half of respondents say they see overlap in the capabilities of their external security providers.

This type of overlap can lead to unnecessary redundancy, inconsistent results and inefficient budgeting. In general, larger companies tend to use the most providers, which can lead to more overlap, while smaller companies concentrate on a few trusted partners.

Finally, crowdsourced security testing is one of the areas just starting to gain traction. Among respondents from larger companies, 8% said they have started using crowdsourced security testing methods to address particular challenges in compliance testing. This usually takes the form of bug bounties that reward external researchers who discover security flaws.

“The rapid embrace of crowdsourced security testing has happened because it has proven to work better than traditional security testing methods and tackles the ever-growing talent gap within organizations,” said Mark Kuhr, chief technology officer and co-founder of Synack, in the release.

A useful approach may be to combine more structured, traditional compliance penetration testing with less structured but incentivized bug bounty programs.

However, Synack warns companies to remember that not all crowdsourced security testing is the same and that some methods carry greater risk than others.

To compile the report, Synack surveyed more than 311 organizations across a range of industries in North America. Sectors represented in the research included technology, government, health care, information technology and financial services.
